hpvd edited a comment on issue #8701:
URL: https://github.com/apache/pulsar/issues/8701#issuecomment-737866945


   @codelipenghui of course one can check these versions manually, but what do 
you think of making it an automated routine before every release?
   
   what would help (if not already used):
   
   1. enabling GitHub's alerts for vulnerable dependencies for pulsar, see 
https://docs.github.com/en/free-pro-team@latest/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies
   
   -> if possible, a bot should automatically open an issue to fix these findings
   
   2. since possibly not all vulnerabilities are reported/found, it may also be an 
idea to have a dynamic/automated table of dependencies:
      - row 1: name of dependency
      - row 2: versions of dependencies used in latest pulsar release e.g. see 
https://frontbackend.com/maven/artifact/org.apache.pulsar/pulsar/2.6.2
      - row 3: latest version of dependency available (if hosted at GitHub: 
accessible with the GitHub API)
   
   -> before every release one should look at this table and update all (most) 
dependencies to their latest version (or note a hint why this is not possible 
at this time (e.g. incompatible changes))
   -> or one could automate opening update issues as well, but these may be 
too frequent...
   
   edit: just opened an issue for this topic 
https://github.com/apache/pulsar/issues/8815
   
   
   


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
[email protected]


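The dependency table proposed in the comment above (pinned version, newest available version, and a recorded reason when an update is deliberately skipped), as an added example that is not part of the comment or of the Pulsar project. It is a stand-alone Python script: the PINNED and LATEST maps are constructed sample data with hypothetical version numbers, not Pulsar's real dependency list (in practice PINNED would come from `mvn dependency:list` and LATEST from a registry or the GitHub releases API, for which a small helper is included but not called offline). The version parser handles Maven-style qualifiers so that `2.6 == 2.6.0`, `1.0-rc1 < 1.0`, and a latest version that is only an alpha/rc does not get reported as an update for a GA pin.

```python
"""Dependency freshness table for a pre-release checklist (added example).

Compares the versions pinned in a release against the newest available
versions and flags what still needs attention before shipping.
"""
import json
import re
import urllib.request

# Qualifiers that mark a pre-release, ranked so snapshot < alpha < beta < m < rc.
PRERELEASE_RANK = {"snapshot": 0, "alpha": 1, "beta": 2, "m": 3,
                   "milestone": 3, "rc": 4, "cr": 4}
GA_RANK = (5, 0)  # any GA version sorts above every pre-release of the same number


def parse_version(version):
    """Turn a Maven-style version into a comparable (numbers, prerelease) key.

    '2.6.2' -> ((2, 6, 2), (5, 0));  '1.0-rc1' -> ((1,), (4, 1)).
    Trailing zeros are dropped so 2.6 == 2.6.0; neutral words such as
    'Final', 'RELEASE' or 'jre' are ignored.
    """
    numbers, pre = [], GA_RANK
    for token in re.split(r"[.\-_]", version.strip()):
        if token.isdigit():
            numbers.append(int(token))
            continue
        m = re.fullmatch(r"([A-Za-z]+)(\d*)", token)
        if not m:
            raise ValueError(f"unparseable component {token!r} in {version!r}")
        word, n = m.group(1).lower(), m.group(2)
        if word in PRERELEASE_RANK:
            pre = (PRERELEASE_RANK[word], int(n) if n else 0)
    while numbers and numbers[-1] == 0:
        numbers.pop()
    return tuple(numbers), pre


def is_prerelease(version):
    return parse_version(version)[1] != GA_RANK


def is_outdated(pinned, latest):
    return parse_version(pinned) < parse_version(latest)


def build_table(pinned, latest, notes=None, allow_prerelease=False):
    """One row per dependency: (name, pinned, latest, status, note)."""
    notes = notes or {}
    rows = []
    for name in sorted(pinned):
        cur, new, note = pinned[name], latest.get(name), notes.get(name, "")
        if new is None:
            status = "unknown"            # no upstream data; check manually
        elif is_prerelease(new) and not allow_prerelease and not is_prerelease(cur):
            status = "pre-release only"   # don't push a GA pin onto an alpha/rc
        elif not is_outdated(cur, new):
            status = "current"
        elif note:
            status = "deferred"           # outdated, but the reason is recorded
        else:
            status = "update"
        rows.append((name, cur, new or "?", status, note))
    return rows


def unresolved(rows):
    """Dependencies that block the release: outdated with no recorded reason."""
    return [r[0] for r in rows if r[3] == "update"]


def render(rows):
    header = ("dependency", "pinned", "latest", "status", "note")
    widths = [max(len(str(r[i])) for r in rows + [header]) for i in range(5)]
    fmt = "  ".join("{:<%d}" % w for w in widths)
    return "\n".join(fmt.format(*r) for r in [header] + rows)


def latest_github_release(repo, timeout=10):
    """Latest release tag of 'owner/repo' via the GitHub REST API.

    Network call, not used by the offline sample run below. A leading 'v'
    (as in 'v4.1.51') is stripped so the tag compares against Maven versions.
    """
    url = f"https://api.github.com/repos/{repo}/releases/latest"
    req = urllib.request.Request(url, headers={"Accept": "application/vnd.github+json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        tag = json.load(resp)["tag_name"]
    return tag[1:] if tag.startswith("v") and tag[1:2].isdigit() else tag


# Constructed sample data: hypothetical version numbers, not Pulsar's real pins.
PINNED = {
    "io.netty:netty-all": "4.1.48.Final",
    "org.apache.zookeeper:zookeeper": "3.5.7",
    "com.google.guava:guava": "30.1-jre",
    "org.slf4j:slf4j-api": "1.7.30",
    "org.example:demo-lib": "1.2",
}
LATEST = {
    "io.netty:netty-all": "4.1.51.Final",
    "org.apache.zookeeper:zookeeper": "3.6.2",
    "com.google.guava:guava": "30.1-jre",
    "org.slf4j:slf4j-api": "2.0.0-alpha1",
    "org.example:demo-lib": "1.2.0",
}
NOTES = {"org.apache.zookeeper:zookeeper": "3.6 line not yet validated; revisit next release"}

if __name__ == "__main__":
    table = build_table(PINNED, LATEST, NOTES)
    print(render(table))
    blocking = unresolved(table)
    print("\nrelease gate:", "FAIL " + ", ".join(blocking) if blocking else "PASS")
```

Run it as the last step of the release checklist: a non-empty `unresolved()` list means a dependency is behind with no recorded justification, which is exactly the case the comment wants caught before tagging. Deferred rows keep their note in the table so the next release sees why the pin was left alone.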